suricata/doc/INSTALL

About
=====
Suricata is a multi-threaded intrusion detection/prevention engine.
engine available from the Open Information Security Foundation 
(http://www.openinfosecfoundation.org).

Suricata and the HTP library are licensed under the GPLv2. A copy of this
license is available in this tarball, or at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt


Build Requirements
==================
gcc
make
g++

If building from the git repository you will also need:
automake
autoconf
libtool


Library Requirements
====================
libpcre
libnet 1.1.x
libyaml
libpcap
libnetfilter-queue and libfnetlink (optional for use with 
  ./configure --enable-nfq)
libpthread  (should be part of most glibc's)
libpfring >= 4.0   (optional for use with ./configure --enable-pfring)
libz
htp


For Debian/Ubuntu Users
=======================

    sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
    build-essential autoconf automake libtool libpcap-dev libnet1-dev \
    libyaml-0-1 libyaml-dev zlib1g zlib1g-dev

    ### HTP
    wget http://www.openinfosecfoundation.org/download/htp-current.tar.gz
    tar -xzvf htp-current.tar.gz
    cd htp-<version>
    ./configure
    make
    make install
    ldconfig

    #if using ubuntu-8.04 to use prebuilt yaml packages you need to
    uncomment the following two lines in your /etc/apt/sources.list to
    enable hardy-backports.
    #deb http://us.archive.ubuntu.com/ubuntu/ hardy-backports main
    restricted universe multiverse
    #deb-src http://us.archive.ubuntu.com/ubuntu/ hardy-backports main
    restricted universe multiverse

    #if building with IPS capabilities via ./configure --enable-nfq
    sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1
    libnfnetlink-dev libnfnetlink0

    ### Suricata:
    wget http://www.openinfosecfoundation.org/download/suricata-current.tar.gz
    tar -xvzf suricata-current.tar.gz
    cd suricata.<version>
    
    If building from git sources:
    bash autogen.sh
    
    #else
    ./configure
    sudo mkdir /var/log/suricata/
    make
    make install



For Fedora Core Users
=====================

    sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
    pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
    libyaml-devel zlib zlib-devel 

    ### HTP
    wget http://www.openinfosecfoundation.org/download/htp-current.tar.gz
    tar -xzvf htp-current.tar.gz
    cd htp-<version>
    ./configure
    make
    make install
    ldconfig

    #if building with IPS capabilities via ./configure --enable-nfq
    sudo yum -y install libnfnetlink libnfnetlink-devel \
    libnetfilter_queue libnetfilter_queue-devel

    ### Suricata:
    #Retrieve and install Suricata
    wget http://www.openinfosecfoundation.org/download/suricata-current.tar.gz
    tar -xvzf suricata-current.tar.gz
    cd suricata.<version>
    
    If building from git sources:
    bash autogen.sh
    
    #else
    ./configure
    sudo mkdir /var/log/suricata/
    make
    make install



For CentOS5 Users
=================

    #You will be required to use the fedora EPEL repository for some 
    packages to enable this repo it is the same for i386 or x86_64
    sudo rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm

    sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
    pcre-devel gcc automake autoconf libtool make gcc-c++ libyaml \
    libyaml-devel zlib zlib-devel

    ### HTP
    wget http://www.openinfosecfoundation.org/download/htp-current.tar.gz
    tar -xzvf htp-current.tar.gz
    cd htp-<version>
    ./configure
    make
    make install
    ldconfig

    #if building with IPS capabilities via ./configure --enable-nfq there
    are no pre-built packages in CentOS base or EPEL for libnfnetlink and
    libnetfilter_queue.
    #If you wish you can use the rpms in the emerging threats CentOS 5
    repo.

    #i386
    sudo rpm -Uvh http://www.emergingthreats.net/emergingrepo/i386/libnetfilter_queue-0.0.15-1.i386.rpm \
    
    http://www.emergingthreats.net/emergingrepo/i386/libnetfilter_queue-devel-0.0.15-1.i386.rpm \
    http://www.emergingthreats.net/emergingrepo/i386/libnfnetlink-0.0.30-1.i386.rpm \
    http://www.emergingthreats.net/emergingrepo/i386/libnfnetlink-devel-0.0.30-1.i386.rpm
    
    #x86_64
    sudo rpm -Uvh http://www.emergingthreats.net/emergingrepo/x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \
    http://www.emergingthreats.net/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \
    http://www.emergingthreats.net/emergingrepo/x86_64/libnfnetlink-0.0.30-1.x86_64.rpm \
    http://www.emergingthreats.net/emergingrepo/x86_64/libnfnetlink-devel-0.0.30-1.x86_64.rpm


    ### Suricata:
    #Retrieve and install Suricata
    wget http://www.openinfosecfoundation.org/download/suricata-current.tar.gz
    tar -xvzf suricata-current.tar.gz
    cd suricata.<version>
    
    If building from git sources:
    bash autogen.sh
    
    #else
    ./configure
    sudo mkdir /var/log/suricata/
    make
    make install



For Mac OS X Users
==================
    # The following instructions has been tested with Snow Leopard, 
    Mac OS X 10.6.1.
    # First of all you need an essential developmnet environment like 
    gcc/make. You can also download and install a set basic set of
    development tools Xcode from
    http://developer.apple.com/technology/xcode.html 
    # You need macports to fetch the depends
    # By default macports place the libraries at /opt/local/lib and
    /opt/local/include. The configuration should take care of this.

    port install autoconf automake gcc44 make libnet11 libpcap pcre \
    libyaml libtool
    export AC_PROG_LIBTOOL=$( which libtool )

    ### HTP
    wget http://www.openinfosecfoundation.org/download/htp-current.tar.gz
    tar -xzvf htp-current.tar.gz
    cd htp-<version>
    ./configure
    make
    make install
    ldconfig

    ### Suricata:
    #Retrieve and install Suricata
    wget http://www.openinfosecfoundation.org/download/suricata-current.tar.gz
    tar -xvzf suricata-current.tar.gz
    cd suricata.<version>
    
    If building from git sources:
    bash autogen.sh
    
    #else
    ./configure
    sudo mkdir /var/log/suricata/
    make
    make install


    #If autojunk, or ./configure fail, re export AC_PROG_LIBTOOL and try
    one more time.
    
    

For FreeBSD 8 Users
===================

    pkg_add -r autoconf262 automake19 gcc45 libyaml pcre libtool \
    libnet11 libpcap gmake

    ### HTP
    wget http://www.openinfosecfoundation.org/download/htp-current.tar.gz
    tar -xzvf htp-current.tar.gz
    cd htp-<version>
    ./configure
    make
    make install
    ldconfig

    ### Suricata:
    #Retrieve and install Suricata
    wget http://www.openinfosecfoundation.org/download/suricata-current.tar.gz
    tar -xvzf suricata-current.tar.gz
    cd suricata.<version>
    
    If building from git sources:
    bash autogen.sh
    
    #else
    ./configure
    sudo mkdir /var/log/suricata/
    make
    make install
    
    
    #additionally FreeBSD 8 has support for zero-copy bpf in libpcap to
    try out this functionality issue the following command and then 
    start,restart the engine.
    
    sysctl net.bpf.zerocopy_enable=1

    #if you would like to build suricata on FreeBSD with IPS capabilities with IPFW via --enable-ipfw.
    You must do the following to enable ipfw and divert socket support before starting the engine
    with -d.

    #edit /etc/rc.conf and add or modify the following lines
    firewall_enable="YES"
    firewall_type="open"

    #edit /boot/loader.conf and add or modify the following lines
    ipfw_load="YES"
    ipfw_nat_load="YES"
    ipdivert_load="YES"
    dummynet_load="YES"
    libalias_load="YES"


Basic Installation
==================


   The details below contain general installation instructions and 
information.  

   As development on the Suricata engine progresses these instructions
will be updated.  

   As an open source project, it is important that you (the users) provide 
feedback that allows OISF to identify and address your needs rapidly.  
Therefore, if you identify any bugs or difficulties in the installation 
process, please forward detailed information to OISF using the following
email address:

bugreports@openinfosecfoundation.org

All submissions will be reviewed, prioritized and addressed for inclusion
in future releases of the Suricata engine and/or this document.


   The configure shell script attempts to determine correct values for
the various system-dependent variables used during the compile process.  
The values identified in this process are used to create a Makefile in 
each directory of the package.  One or more .h files may also be created 
at this time containing required system-dependent definitions.  The files
created are: 
- a shell script config.status, this script can be utilized in 
the future to recreate the current configuration 
- a config.cache file that saves the results of its tests to speed up 
reconfiguring
- and a config.log file that contains compiler output (useful mainly for 
debugging configure)


   If your configuration requires unique actions to compile the package
and/or you significantly modify the configure shell script, please
forward the details of your requirements and/or solution using the
following email address:

bugreports@openinfosecfoundation.org

All submissions will be addressed for inclusion in the next release.  


   If at some point config.cache contains results that are no longer 
required, the cache can be removed and/or edited to eliminate those
results.


   The file configure.in is used to create configure utilizing a 
program called autoconf.  The configure.in file is only required if
you need to change or regenerate configure using a newer version of
autoconf.


General Compile Instructions for this Package are:
==================================================


  1. cd to the directory containing the Suricata package source code and 
     enter ./configure to configure the package for your system.  If 
     using csh on an old version of System V, users might need to enter
     sh ./configure instead to prevent csh from trying to execute
     configure automatically.

     This process (running configure) will take some time.  While this 
     process runs, messages detailing the configuration progress (i.e.
     which features it is checking for, etc...) will be displayed on the
     screen.
 
  2. Type make to compile the package.

  3. Type make install to install the programs and any data files and
     documentation.

  4. The program binaries and object files can be removed from the
     source code directory by typing make clean.


Ruleset and Log File Details
============================


   Once the Suricata engine is compiled and installed, users must define
(or reference) the location that the ruleset is stored.  Suricata is 
compatible with standard Snort rulesets.  A sample standard configuration
file can be found in the Suricata base directory.  This file is called 
'suricata.yaml'.  In this file, configuration details are entered that set
the location for log files, log file and alert formats, and rule variable
definitions.

Network Variables are in the format of 

VARIABLE:"[X.Y.Z.A/NETMASK]"

For example:

The Variable HOME_NET (for a home network with the IP range 
192.168.0.0/16) would be represented as 

HOME_NET:"[192.168.0.0/16]" 


When setting a variable to the value of another variable, the variable 
referenced must be quoted.  For example to set the variable HTTP_SERVERS to HOME_NET, HTTP_SERVERS would be configured as:

HTTP_SERVERS:"$HOME_NET".



Compilers and Options
=====================

   
   Some systems may require unique or unusual options or linking in the 
compile process that the `configure' script is not able to identify
automatically. Users are able to enter initial values for configure
variables by setting them in the environment.  

For Example:
- a Bourne-compatible shell, would require a command line entry as 
displayed below:
     CC=c89 CFLAGS=-O2 LIBS=-lposix ./configure

- systems that have the env program, will utilize the following command
line entry:
     env CPPFLAGS=-I/usr/local/include LDFLAGS=-s ./configure



Compiling For Multiple Architectures
====================================


   The Suricata engine package may be compiled for more than one kind of
computer simultaneously by placing the object files for each architecture
in their own directory.  


To do this, users must use a version of make that supports the `VPATH'
variable, such as GNU make. 

- cd to the directory where the object files and executables are to be
stored and run the `configure script.  configure automatically searches
for the source code in the directory that configure is stored in and in
‘..'.


   If a user is using a make that does not supports the VPATH variable, 
the package can only be compiled for one architecture at a time in the
source code directory.  After completing package installation for one
architecture, make distclean must be executed before reconfiguring for
another architecture.


Installation Names
==================


   By default, make install will install the package's files in
/usr/local/bin, /usr/local/man, etc...  An installation prefix other than
/usr/local can be configured by giving configure the option --prefix=PATH.

   Separate installation prefixes can be configured for 
architecture-specific files and architecture-independent files.  By
entering --exec-prefix=PATH into the configure, the package will use
PATH as the prefix for installing programs and libraries.  Documentation 
and other data files will still use the regular prefix.

   If supported by the package, users can configure programs to be 
installed with an extra prefix or suffix on their names by giving 
configure the option --program-prefix=PREFIX or --program-suffix=SUFFIX.


Configure Options
==================

./configure --help
`configure' configures this package to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included
                          packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/PACKAGE]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

Program names:
  --program-prefix=PREFIX            prepend PREFIX to installed program names
  --program-suffix=SUFFIX            append SUFFIX to installed program names
  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --disable-dependency-tracking  speeds up one-time build
  --enable-dependency-tracking   do not reject slow dependency extractors
  --enable-shared[=PKGS]  build shared libraries [default=yes]
  --enable-static[=PKGS]  build static libraries [default=yes]
  --enable-fast-install[=PKGS]
                          optimize for fast installation [default=yes]
  --disable-libtool-lock  avoid locking (might break parallel builds)
  --enable-gccprotect  Detect and use gcc hardening options
  --enable-nfqueue  Enable NFQUEUE support for inline IDP
  --enable-pfring  Enable Native PF_RING support
  --enable-unittests  Enable compilation of the unit tests
  --enable-debug  Enable debug output

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-pic              try to use only PIC/non-PIC objects [default=use
                          both]
  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
  --with-libpcre-includes=DIR  libpcre include directory
  --with-libpcre-libraries=DIR    libpcre library directory
  --with-libyaml-includes=DIR  libyaml include directory
  --with-libyaml-libraries=DIR    libyaml library directory
  --with-libpthread-includes=DIR  libpthread include directory
  --with-libpthread-libraries=DIR    libpthread library directory
  --with-libnfnetlink-includes=DIR  libnfnetlink include directory
  --with-libnfnetlink-libraries=DIR    libnfnetlink library directory
  --with-libnetfilter_queue-includes=DIR  libnetfilter_queue include directory
  --with-libnetfilter_queue-libraries=DIR    libnetfilter_queue
library directory
  --with-libnet-includes=DIR     libnet include directory
  --with-libnet-libraries=DIR    libnet library directory
  --with-libpfring-includes=DIR  libpfring include directory
  --with-libpfring-libraries=DIR    libpfring library directory
  --with-libpcap-includes=DIR  libpcap include directory
  --with-libpcap-libraries=DIR    libpcap library directory
  --with-libhtp-includes=DIR  libhtp include directory
  --with-libhtp-libraries=DIR    libhtp library directory

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.